Chapter 3
Use of Information Systems Audit Standards
Overview
In our review of how standards are applied or used in an IS audit, we shall refer to the IS audit process pyramid diagram depicted below (figure 3.1). Under each activity, we will indicate which standards and guidelines are used. It is recommended that you read chapter 2 before reading this chapter.
Before we look at the various standards and guidelines, let us first define what the two terms mean. We shall use the definitions made by ISACA.

A standard is a mandatory requirement, code of practice, or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO) (ISACA Glossary).
ISACA says that standards are mandatory in all cases. The term 'shall' indicates 'must'. Any
deviations from the standard must be addressed prior to completion of the IS audit (ITAF,
2nd edn, ISACA, page 6).
A guideline is a description of a particular way of accomplishing something that is less prescriptive than a procedure (ISACA Glossary).
ISACA says guidelines are not mandatory, but adhering to them is strongly recommended. Although they do allow IS audit and assurance professionals a degree of application freedom, professionals must be able to defend and justify any significant deviation from the guidelines, or the omission of relevant sections of the guidance, in the conduct of IS audit and assurance engagements. This is particularly true if the engagement is more at the IS audit level. Not all guidelines will be applicable in all situations, but they should always be considered (ITAF, 2nd edn, ISACA, page 6).
All the standards we will be referring to in this chapter can be found on the ISACA website, on the IT audit and assurance standards page. It is advisable that you download the ITAF second edition for reference as you read through this chapter. Standards use the 1000 (general standards), 1200 (performance standards), and 1400 (reporting standards) series codes. Guidelines use the 2000 (general guidelines), 2200 (performance guidelines), and 2400 (reporting guidelines) series codes. It is important to remember these codes so that you are able to distinguish between standards and guidelines.